Security's Gaping Hole: Policy Enforcement

If you’re like me, you can’t help but shake your head in disbelief every time a big security breach occurs. Let’s see, in recent months alone, we’ve witnessed billions of dollars’ worth of economic impact that weak passwords, failed patch management programs, and improper malware protection have had on the world. Like pro-government politicians passing the same old laws, the answer is simply: add on more layers of policies – that’ll fix the underlying problems. After all, if you make people believe that things are under control on the network, then all is well.

Any IT or security professional with an ounce of common sense knows that’s not true. Yet we keep going down this path of misperception, or better yet, deception. Take, for instance, the following examples where policies are front and center yet there’s little, if anything, to back them up:

1. Passwords

Windows domain password enforcement may be in line, but the passwords for local users, service accounts, databases, Web applications, routers, and so on are rarely covered.

2. Third-party software patching

Most network managers have some semblance of control over Windows passwords, but I’ve yet to see any organization that’s patching all the other stuff that matters, namely Java, Adobe Reader, and Adobe Flash.

3. Local administrator privileges

It’s easy to hop onto the no local admin privileges bandwagon but quite another issue to actually enforce it in all the places that matter (i.e. not just workstations but servers, network appliances, etc.). There are too many systems and user accounts and too little time to manage them all.

In many situations, not only is there an absence of enforcement, no one even takes the time to manually validate, through security assessments and audits, that the right things are being done.
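As an added illustration (not from the original column) of what “using technology to enforce the policy” can look like for the three gaps above, the following Python check takes a constructed host inventory and a policy expressed as data, and reports every host where reality diverges from policy: unapproved local administrators, banned or outdated third-party software, and stale local account passwords that no domain GPO ever sees. Host names, version floors and dates are placeholders.

```python
import re
from datetime import date

# Constructed sample inventory (placeholder hosts and versions), standing in
# for what an endpoint agent or CMDB export would provide.
INVENTORY = [
    {"host": "ws-101", "role": "workstation",
     "local_admins": ["CORP\\Desktop-Admins", "CORP\\jdoe"],
     "software": {"Java": "8u401", "Adobe Reader": "24.2.20759", "Adobe Flash": "32.0.0.465"},
     "local_accounts": [{"name": "Administrator", "pw_last_set": "2021-03-02"}]},
    {"host": "srv-db-07", "role": "server", "local_admins": ["CORP\\DBA-Team"],
     "software": {"Java": "8u381"},
     "local_accounts": [{"name": "svc_backup", "pw_last_set": "2019-08-15"}]},
]

# Policy expressed as data; the version floors are placeholders, not real baselines.
POLICY = {
    "approved_admins": {"workstation": {"CORP\\Desktop-Admins"},
                        "server": {"CORP\\Server-Admins", "CORP\\DBA-Team"}},
    "min_versions": {"Java": "8u401", "Adobe Reader": "24.2.20759"},
    "banned_software": {"Adobe Flash"},  # end-of-life: any install is a finding
    "max_password_age_days": 365,
}

def version_key(v):
    """Turn '8u401' or '24.2.20759' into a tuple of ints for comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def check_host(h, policy, today):
    """Return the list of policy gaps on one host (empty means compliant)."""
    findings = []
    # 1. Local admin membership beyond the groups approved for this host's role
    extra = set(h["local_admins"]) - policy["approved_admins"].get(h["role"], set())
    findings += [f"unapproved local admin: {p}" for p in sorted(extra)]
    # 2. Third-party software that is banned, or below the policy version floor
    for name, ver in h["software"].items():
        floor = policy["min_versions"].get(name)
        if name in policy["banned_software"]:
            findings.append(f"banned software present: {name} {ver}")
        elif floor and version_key(ver) < version_key(floor):
            findings.append(f"outdated {name}: {ver} < {floor}")
    # 3. Local account passwords older than policy allows (domain GPO never sees these)
    for acct in h["local_accounts"]:
        age = (today - date.fromisoformat(acct["pw_last_set"])).days
        if age > policy["max_password_age_days"]:
            findings.append(f"stale local password: {acct['name']} ({age} days)")
    return findings

def audit(inventory, policy, today):
    return {h["host"]: check_host(h, policy, today) for h in inventory}
```

Calling `audit(INVENTORY, POLICY, date.today())` returns a per-host list of findings; an empty list is the only acceptable result, and anything else is the discrepancy between policy and enforcement that an auditor or expert witness would otherwise find for you.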

This security policy façade is no doubt taking place in your organization. It’s everywhere, but that doesn’t make it right. Do what you can to put a stop to the false sense of security that’s creating so many problems. Demonstrate to management – and to your users, where necessary – how technology can and must be used to enforce the security policies you have in place. Unlike so many of the unenforceable laws we have in our nation, you can enforce the majority of your security policies. Yet again, the principle of “you cannot secure what you don’t acknowledge” applies.

Furthermore, you can’t change the things that you tolerate. The real challenge to making positive changes is that you’re going to need ongoing political support and budget from management. If you don’t have these two things, then you probably shouldn’t even have the policies in the first place. Why? Once an incident occurs and lawyers get involved, savvy incident responders and expert witnesses will be quick to point out the discrepancies between policy, enforcement, and risk. The breach has already occurred. What you should’ve known and should’ve done is history. If security theater is shown to be the overarching component, then all bets are off. All in all, policies are a necessity – just be careful in your approach.